Didier Stevens

Tuesday 20 February 2018

Update: pecheck.py Version 0.7.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version.

pecheck-v0_7_2.zip (https)
MD5: 2A501CD2D15E1108B909B7FCEDFBDA13
SHA256: 9CACA5A41A84049FE6B0D5807A31B7FC5B1A5AC71B3FD3BE4EAC71A96BBDFB3E

Monday 19 February 2018

Update: oledump.py Version 0.0.33

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump can output the content of all streams in JSON format, and has a new plugin for MSI files: plugin_msi.py.

oledump_V0_0_33.zip (https)
MD5: E5F879766B5C1C899E75E2F2A8ED9533
SHA256: 2B7C9565880F14E8A431F7819926EE801DE129458E682FAAF99FEF41AFA49934

Sunday 18 February 2018

Update: translate.py Version 2.5.3

Filed under: My Software,Update — Didier Stevens @ 0:00

I had to be sure that every 4th byte in a file was identical:

After some thinking, I thought I could use my translate program to select every 4th byte (position % 4 == 3) and then calculate byte statistics. But actually, translate.py can use a (complex) Python expression/program to translate each byte of a file, but it can not be used to select particular bytes. So I made a small change: if the Python expression used with translate.py returns value None (in stead of a numeric value), then the result is not send to output. This way, input bytes can be dropped/deleted.

translate_v2_5_3.zip (https)
MD5: F3C01FCA74A84F1712BAF187E9FE479F
SHA256: 4CA311456EDE5A43097D4E567F225CFF2A68D47B96A261FC935F2A0F1CD4EB0F

Monday 12 February 2018

Update: pdfid.py Version 0.2.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version for  bugs reported by different users, more details in history.

pdfid_v0_2_4.zip (https)
MD5: 36D5554BC881E7E21382ADA1305ED6F4
SHA256: C1DA287C9C06E3158F79CECF9C2E9A7773FC57FC92021F17B79DDD4B1E5DBB2A

Sunday 11 February 2018

Update: jpegdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of jpegdump adds option -e: extract jpeg images to disk.

jpegdump_V0_0_4.zip (https)
MD5: 496B6F2B0C0EEF919F7C6E20B9C1ADF6
SHA256: 5D150AE050610B6DB11FBE8B44E385A80800971AF1810F67531BB17A1373C770

Saturday 10 February 2018

Update: hash.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hash.py can recurse into directories by using new option –recursedir.

hash_V0_0_2.zip (https)
SHA256: F768BCBE035ADF099C2AFA41CADB2ABD9514D54E6D361AF5610277B8A70D6B7D

Tuesday 6 February 2018

Update: python-per-line version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of python-per-line adds option -i to ignore errors when evaluating the provided Python expression.

python-per-line_V0_0_3.zip (https)
MD5: 40B787E184EBAAD91A9104BF1BF1BF1A
SHA256: 1D7CAE95B5EA169286E4B1528D834D814A474A86240B9975385968B2BADF59AB

Wednesday 31 January 2018

Update: rtfdump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

In this version, I’ve changed the output for “level 0”. Level 0 is actually the remainder, e.g. what comes after the last balanced curly brace. In a normal RTF document, there should be no remainder.

rtfdump_V0_0_7.zip (https)
MD5: 59F86BA57D67CB78B9D863AFEA710709
SHA256: 1A8EDD4F73F020F44B0AAB39FC3A1C313C81BF8A1E031A76D8B8C85E34116DD6

Tuesday 30 January 2018

Update: translate.py Version 2.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post.

But it’s still not that practical, copying that onliner from my blog post, so I’m releasing a new version of translate.py where I defined function GzipD as that onliner (and I also defined ZlibD).

Here is how I use build-in function GzipD to decompress the malicious payload:

translate_v2_5_2.zip (https)
MD5: 1499C7D9C03928F2CE90BAA813A982DA
SHA256: 34451966781CA9821CD66AEF54379A3B47576CD4FCE8CBEFD9EFA3DA06E49CE9

Monday 29 January 2018

New Tool: jpegdump.py

Filed under: My Software — Didier Stevens @ 0:00

jpegdump.py is a tool I developed to analyze JPEG images. I have used it for a couple of ISC diary entries: Analyzing JPEG files, It is a resume – Part 3 and A strange JPEG file.

This tool reads binary files and parses the JPEG markers inside them:

It can help with corrupted images, here is an example of a JPEG file that was partially overwritten by ransomware:

The partial image starts from marker 3.

With options -f and -c, one can search through binary files with embedded JPEG images, like this Google Chrome process dump:

For more information, take a look at the man page: jpegdump.py -m


jpegdump_V0_0_3.zip (https)
MD5: 929F3EC096AEBEC642C44C6A6EE2895E
SHA256: C5C1CA151C7E24FB6E305E5116BE7B6BC4C417810217249D3831BE5805BBAA9F

Next Page »

Blog at WordPress.com.